It’s important for you to know that HIPAA compliance covers the cybersecurity measures necessary for EVV (Electronic Visit Verification). That information is straight from an email issued by ANCOR, which cites the EVV legislation as its source, along with Tim Hill, the Director of CMCS.
Last year, as a service to our members, OPRA partnered with MyHIPAA Guide to spearhead the development of a HIPAA compliance program for the residential sector. This is the only program of its kind available for residential providers.
The program includes all the materials you need for compliance, plus an option for unlimited phone and email consultation to help you through the process of protecting private health information.
With EVV right around the corner, we are offering a $100 discount off the price of an annual subscription with the coupon code: OPRA2018.
Go to hipaa.opra.org to subscribe.
Key Point: If you don’t document it, you can’t prove you have followed privacy regulations — meaning you could face penalties. Security policies and procedures are mandated under the Health Insurance Portability and Accountability Act (HIPAA), and the regs are very specific about the policies and procedures you need to implement.
Through your documentation of policies and procedures, specify the security measures you have in place and the procedures you have for ensuring daily vigilance.
Keep in mind: Document everything, including all assessments, precautions, procedures, actions, findings, and processes covered under HIPAA requirements. Organize your compliance documentation in central locations, so both paper and electronic records can be easily referenced.
Ask yourself if you are keeping records of:
- Procedures for distributing privacy notices (which should include instructions on how to file complaints and report security concerns)
- Security policies and procedures (including written records of required actions, activities, or assessments)
- Complaint resolutions
- Updates to policies and procedures
- Sanctions against workforce members relating to privacy or security issues
- Staff training
- Business Associate Agreements
Be sure to keep privacy records for six years from creation of a document, or the last effective date. Also, periodically review and update documentation in response to changing conditions — such as a move to a new location — that impact the security of private health information.
Note to readers: See the right rail of hipaa.opra.org for HIPAA documentation and consultation services tailored for residential services providers.
At the start of each new year, it is always good to look back at federal settlements under the Health Insurance Portability and Accountability Act (HIPAA). That is how you know what matters most to the Feds in terms of privacy enforcement.
From 2017, here is a short list of key messages to providers:
- It’s your job to understand HIPAA requirements.
- Execute Business Associate Agreements with vendors and independent contractors with potential access to private health information.
- Don’t rest easy because you have security policies; you also need to manage security processes for daily vigilance.
- If you do experience a privacy problem, report to the Feds in a timely manner.
- Be sure to monitor activity on your databases.
Now let’s take these one by one, with examples illustrating each point. The points are pertinent to all covered under HIPAA, including residential providers and others outside the realm of primary medical care.
- Understanding HIPAA requirements:
In a case involving CardioNet, a provider of remote mobile monitoring of heart patients, the Feds said that a lack of understanding of HIPAA creates risk. CardioNet paid the cost of such ignorance in a $2.5 million settlement, stemming from a laptop stolen from an employee’s vehicle, and containing private health information. Read the Press Release.
- Business Associate Agreements:
In April, the Feds put out a news alert with the headline: No Business Associate Agreement? $31K Mistake.
It was as if to say “Gotcha” — albeit in a small monetary settlement by HIPAA standards. The case involved a children’s digestive health center. As the Feds were investigating one of the center’s Business Associates, they discovered the absence of a Business Associate Agreement, which was the center’s responsibility to execute. Read the Resolution Agreement and Corrective Action Plan – PDF.
- Security management:
In a case involving unauthorized access to health information, Memorial Healthcare System (MHS) paid the Feds $5.5 million to settle potential violations. Private health information had been impermissibly accessed and disclosed through the login credentials of a former employee of an affiliated physician’s office. For a year’s time, the unauthorized access took place on a daily basis — and without detection, due to a failure to monitor database activity. Read the Resolution Agreement.
- Timely breach response:
A case involving Children’s Medical Center of Dallas (Children’s) stemmed from impermissible disclosure of unsecured, electronic health information and non-compliance with HIPAA standards over many years, according to the Feds. The Feds issued a notice to Children’s, which included instructions for how Children’s could file a request for a hearing. Children’s did not request a hearing. Children’s paid a civil penalty of $3.2 million, and the Feds called out the issue of timely response. Read the Press Release.
- Monitor databases:
This is essential to HIPAA compliance. In a case resulting in a $2.3 million settlement, the Federal Bureau of Investigation (FBI) notified 21st Century Oncology, Inc. (21CO) on two separate occasions that patient information was illegally obtained by an unauthorized third party. Evidence included 21CO patient files purchased by an FBI informant. Among other things, the Feds determined that 21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Read the News Release.
The vast majority of HIPAA cases are resolved through corrective action plans that the Feds monitor. That is of course much better than a fine — although the Feds will hover for a while. At this writing, there are more than 400 cases under current investigation and summarized at this portal on the website of the U.S. Office for Civil Rights.
Diane Evans is Publisher of MyHIPAA Guide, and her guest viewpoints have appeared in Compliance Today. MyHIPAA Guide worked with the HR Committee of the nonprofit Ohio Provider Resource Center (OPRA) to develop human-centered HIPAA compliance materials tailored to residential providers and facility operators.
We are currently offering a discount on a one-of-a-kind 12-month MyHIPAA Program Planner, complete with goals, tasks and deliverables. See the right rail of the hipaa.opra.org homepage. All providers can benefit.
Since federal privacy rules require lots of documentation, a frequently asked question is: How long do we have to keep all the documents that accumulate as a result of compliance with the Health Insurance Portability and Accountability Act (HIPAA)?
The answer: Six years — and that means six years after the date of a document’s creation or its most recent effective date.
Keep in mind, all HIPAA-related activities must be documented. This includes privacy policies and procedures, privacy notices, resolution of complaints, staff training, business associate agreements and all else pertaining to privacy protections.